1. Technical Field
This invention relates to the field of network security, and more particularly, to defending against attacks on network servers.
2. Description of the Related Art
Network security is a growing concern for operators of network servers, for example Internet servers. Computer hackers frequently attack network servers to cause disruption in network services as well as corrupt data. Notably, there are a myriad of possible ways a network server can be attacked. For example, computer hackers frequently use techniques to search for open ports through which the server can be attacked. Once an open port is found, hackers often attempt to circumvent the server's security in order to gain access to secure files.
Another method commonly used by computer hackers, known as a denial of service (DoS) attack, is to attack a server in order to tie up server resources so that the resources become unavailable to establish any new client connections. Accordingly, when valid clients attempt to connect to the server, the server responds by issuing denial of service responses.
One DoS attack technique, known as SYN flooding, exploits a connection establishment protocol commonly referred to as a three-way handshake. The client system begins the three-way handshake process by sending a synchronous (SYN) message to the server. A SYN message is a bit flag in a TCP header that, when set, indicates that synchronization is requested with a remote server. The server then acknowledges the SYN message by sending a synchronization acknowledgment (SYN-ACK) message to the client. The client then completes the connection by responding with an acknowledgment (ACK) message. Once the connection is open, service-specific data can be exchanged between the client and the server.
A half-open connection occurs when the server responds to a client by sending a SYN-ACK message, but never receives a responsive ACK message from the client. SYN flooding works by creating scores of half-open connections. This is commonly accomplished using a technique known as IP-spoofing, wherein an attacking client sends apparently legitimate SYN messages to a victim server. The SYN messages, however, are not legitimate in that the SYN messages reference other clients that are unable to respond to the SYN-ACK messages. Hence, the victim server never receives the ACK message completing the connection.
The data structure on the victim server for the half-open connections will eventually fill, rendering the server unable to accept any new incoming connections until the table is purged. Accordingly, legitimate clients attempting to connect to the victim server will receive the DoS response. Normally there is a timeout associated with a pending connection, so the half-open connections will eventually expire and the victim server system can recover. However, the attacking system can simply continue sending IP-spoofed packets requesting new connections faster than the pending connections expire, thereby causing the server to crash or to otherwise be rendered inoperative.
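The following Python model, added here as an illustration and not part of the patent text, shows the behaviour described above: a server-side table of half-open connections with a fixed capacity and a per-entry timeout, fed a constructed event trace in which spoofed SYNs that never receive an ACK arrive faster than entries expire. The addresses, capacity, timeout and event times are all constructed values chosen only to make the saturation visible; the table saturates because the steady-state occupancy (arrival rate multiplied by timeout) exceeds its capacity, so a legitimate SYN arriving while it is full is refused even though the table is continually expiring old entries.

```python
from dataclasses import dataclass, field

@dataclass
class HalfOpenTable:
    """Model of a server's pending-connection (SYN backlog) table.

    Each entry records a SYN that was answered with SYN-ACK but has not
    yet received the client's ACK. Entries expire after `timeout_ms`.
    Times are integer milliseconds to keep the arithmetic exact.
    """
    capacity: int
    timeout_ms: int
    entries: dict = field(default_factory=dict)  # (src_ip, src_port) -> time SYN-ACK was sent

    def _expire(self, now):
        stale = [k for k, t0 in self.entries.items() if now - t0 >= self.timeout_ms]
        for k in stale:
            del self.entries[k]

    def on_syn(self, now, src):
        """Return True if the server answers with SYN-ACK, False if it must refuse."""
        self._expire(now)
        if src in self.entries:
            return True               # retransmitted SYN for an already pending entry
        if len(self.entries) >= self.capacity:
            return False              # table full: this is the DoS response
        self.entries[src] = now
        return True

    def on_ack(self, now, src):
        """Complete the handshake; True if a matching half-open entry existed."""
        self._expire(now)
        return self.entries.pop(src, None) is not None


def run_trace(events, capacity, timeout_ms):
    """Replay (time_ms, 'SYN'|'ACK', src) events; return (refused SYNs, completed handshakes)."""
    table = HalfOpenTable(capacity, timeout_ms)
    refused, completed = [], []
    for t, kind, src in sorted(events, key=lambda e: e[0]):
        if kind == "SYN":
            if not table.on_syn(t, src):
                refused.append((t, src))
        elif table.on_ack(t, src):
            completed.append((t, src))
    return refused, completed


# Constructed trace (hypothetical addresses from documentation ranges):
# 100 spoofed SYNs, one every 100 ms, from sources that will never ACK,
# plus two legitimate clients, one early and one once the table is full.
LEGIT_A = ("192.0.2.5", 40000)
LEGIT_B = ("192.0.2.7", 40001)
SPOOFED = [(k * 100, "SYN", (f"203.0.113.{k}", 1024 + k)) for k in range(100)]
TRACE = SPOOFED + [(550, "SYN", LEGIT_A), (650, "ACK", LEGIT_A), (5050, "SYN", LEGIT_B)]


def demo(capacity=20, timeout_ms=3000):
    """Rate 10 SYN/s x 3 s timeout = 30 pending in steady state > capacity 20."""
    return run_trace(TRACE, capacity, timeout_ms)


if __name__ == "__main__":
    refused, completed = demo()
    print(f"{len(refused)} SYNs refused, {len(completed)} handshakes completed")
    print("legitimate client B refused:", any(src == LEGIT_B for _, src in refused))
```

With these parameters the table fills after two seconds; from then on each expiring entry is immediately replaced by a fresh spoofed SYN, so the early client completes its handshake but the later one is refused. Raising the capacity above the product of arrival rate and timeout, or shortening the timeout, is what restores room for new entries in this model.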
Methods currently exist to provide a measure of security against DoS attacks while still allowing client-server communications. These methods, however, are only moderately successful. One such method randomly changes the server port addresses through which a server and a client communicate, calculating each new port with a random number generator. Both the client and server use a copy of the same random number generator and share a random seed, which is a value that a random generator uses to start the random number generation process. Accordingly, the order in which random numbers are generated at both the server and client ends of the communication link remains synchronized. Hence, the client and server can each calculate the same sequence of port addresses used for changing ports.
One disadvantage of such port-jumping security techniques, however, is determining the period for which each port is to remain open prior to jumping to a new port. If a particular port address is open too long, a hacker may have enough time to scan the server, find the open port, and infiltrate the system through the open port. If a port address is not open long enough, the port may close before a packet sent by a client arrives, especially if there is a high network latency between the client and the server.
Network latency, which is a synonym for network delay, is an expression of how much time it takes for a packet of data to get from one designated point to another. The contributors to network latency include propagation, transmission, router, processing, and other computer and storage delays. Propagation delay is simply the time taken for a packet to travel between one place and another at the speed of light. Transmission delay is delay introduced by a transmission medium itself, for example, optical fiber, electrical wires, and other transmission media. Router and processing delays are caused by the time taken to examine and possibly change the header in a packet at each gateway node. Computer and storage delays occur at each end of the network, where a packet may be subject to storage and hard disk access delays. Notably, computer delays also can occur at intermediate devices such as switches and bridges.
Because latency results from multiple contributors, it is difficult to gauge how much latency will be associated with a given connection. Further, changing conditions of the network environment affect the various delay times. For example, network congestion can cause increased router and processing delays. The propagation and transmission delays can be affected if network congestion causes alternate transmission routes to be used for client-server communications. Moreover, computer and storage delays can be affected by increased server load, which reduces available server resources. Hence, current security techniques commonly keep ports open for a relatively long period of time to ensure that the ports are open long enough to receive all packets that are sent to the ports during high network latency periods. If the ports are closed too quickly, packets can be blocked by a closed port and the client-server connection can be lost.
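The following Python example is added here to make the port-jumping scheme and its latency trade-off concrete; it is not part of the patent and does not reproduce any particular product's implementation. Both endpoints instantiate the same deterministic generator (`random.Random`) from a shared seed, so they derive an identical port sequence in which port `i` is open during epoch `i` of a fixed window. The `grace_ms` overlap, under which the server keeps the previous epoch's port open briefly, is an assumption of this example rather than something the text describes; it is shown as the server-side knob that lets a packet sent near the end of a window still be accepted without lengthening every window. The seed, port range, window length and send times are constructed values.

```python
import random


class PortSchedule:
    """Shared-seed port sequence: same seed and parameters on both ends
    yield the same sequence regardless of the order in which epochs are queried."""

    def __init__(self, seed, lo=20000, hi=60000, window_ms=500, grace_ms=0):
        self._rng = random.Random(seed)   # deterministic PRNG seeded identically on both ends
        self.lo, self.hi = lo, hi
        self.window_ms = window_ms        # how long each port stays the "current" port
        self.grace_ms = grace_ms          # server-only overlap during which the previous port still answers
        self._ports = []                  # ports generated so far; index == epoch number

    def port_for_epoch(self, epoch):
        while len(self._ports) <= epoch:
            p = self._rng.randint(self.lo, self.hi)
            # Never reuse the immediately preceding port, so a packet that arrives
            # one window late is rejected by the schedule, not accepted by luck.
            while self._ports and p == self._ports[-1]:
                p = self._rng.randint(self.lo, self.hi)
            self._ports.append(p)
        return self._ports[epoch]

    def epoch_at(self, t_ms):
        return t_ms // self.window_ms

    def open_ports(self, t_ms):
        """Ports the server is listening on at time t_ms."""
        e = self.epoch_at(t_ms)
        ports = {self.port_for_epoch(e)}
        if e > 0 and t_ms - e * self.window_ms < self.grace_ms:
            ports.add(self.port_for_epoch(e - 1))   # previous port still open during the grace overlap
        return ports

    def is_open(self, port, t_ms):
        return port in self.open_ports(t_ms)


def deliver(client, server, send_ms, latency_ms):
    """Client picks the port for the instant it sends; the packet lands latency_ms later.
    Returns (port used, whether the server still accepted it)."""
    port = client.port_for_epoch(client.epoch_at(send_ms))
    return port, server.is_open(port, send_ms + latency_ms)


def simulate(seed, window_ms, grace_ms, sends):
    """sends: list of (send_ms, latency_ms). Returns one accepted/rejected flag per packet."""
    client = PortSchedule(seed, window_ms=window_ms)              # client needs no overlap
    server = PortSchedule(seed, window_ms=window_ms, grace_ms=grace_ms)
    return [deliver(client, server, s, lat)[1] for s, lat in sends]


if __name__ == "__main__":
    # Constructed scenario: 500 ms windows; packets sent 10 ms before a window boundary.
    print("no overlap:   ", simulate(42, 500, 0, [(100, 50), (490, 50)]))     # second packet lost
    print("100 ms grace: ", simulate(42, 500, 100, [(490, 50), (490, 150)]))  # 150 ms latency still lost
```

The second call shows the sizing rule the passage leads to: whatever window length is chosen, the server must tolerate arrivals up to the worst expected latency after a port changes, either by making the window long (the approach the text attributes to current techniques) or, as here, by a short overlap sized to the latency; in both cases a latency larger than the allowance loses the packet.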